
Learn how to disable the REST API in your WordPress site for logged-out users.

Your WordPress site, by default, exposes sensitive data through the publicly accessible /wp-json/ endpoint. Anyone can query user information, post details, and plugin data without logging in. This creates a security gap that automated bots actively exploit for attacks.
Many WordPress guides recommend disabling the REST API entirely, but this cripples essential features.
In this article, I’ll share how to disable REST API access for guests while preserving admin features.
The WordPress REST API is a standardized protocol that lets applications communicate with your website. Introduced in WordPress 4.4, it transforms your site into a data service that external tools can query and update.
The API delivers information in JSON format through special URLs like /wp-json/wp/v2/users. This machine-readable structure powers modern WordPress features, including the Gutenberg block editor and mobile app integrations.

By default, these endpoints are publicly accessible to everyone, including unauthenticated visitors. This openness creates the security vulnerability we’re about to address.
Unrestricted REST API access creates multiple security vulnerabilities on your WordPress site. Hackers routinely scan /wp-json/ endpoints to harvest data and plan attacks. This exposure violates the principle of least privilege by giving anonymous users more access than they need.
Guest access allows attackers to enumerate all registered usernames through the /wp-json/wp/v2/users endpoint. This reveals valid login names and user IDs for brute force attacks. Your site hands over half the credentials needed to break into accounts.

The API root endpoint exposes your site’s complete architecture. Anyone can discover which plugins and themes you use. Attackers use this information to target specific weaknesses in your configuration.

Open access also enables automated content theft. Bots scrape your posts, pages, and media in machine-readable JSON format. This same channel lets attackers execute DDoS attacks by repeatedly requesting large datasets, consuming your server resources and bandwidth.
Completely disabling the REST API breaks critical WordPress functionality. The Gutenberg block editor stops working, Site Health reports false errors, and many plugins fail. Modern WordPress depends on the API for core operations.
Guest restriction is the safe approach. This method requires authentication for all REST requests while preserving full functionality for logged-in users. Your admin features continue working normally while blocking anonymous access. The solution maintains security without breaking your site.
The clean and reliable way to disable REST API access without breaking your site is to use a PHP snippet. It uses a simple filter that runs on every API request and restricts REST API access to logged-in users while preserving full admin functionality.
You can simply copy and paste it directly into your website.
```php
function disable_rest_api_for_guests( $access ) {
    // Any request without a logged-in user's cookies is refused with a 403.
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_disabled',
            __( 'The REST API is disabled for guests.' ),
            array( 'status' => 403 )
        );
    }
    // Logged-in users keep whatever authentication result WordPress already computed.
    return $access;
}
add_filter( 'rest_authentication_errors', 'disable_rest_api_for_guests' );
```

This code checks the authentication status early in the API request process. It allows logged-in administrators, editors, and users to use the API normally. Guests receive a 403 error response instead of sensitive data.
You can customize the error message for your brand voice or adjust the status code if needed. Leave the core logic unchanged to maintain security boundaries.
You can add code snippets directly to your theme’s functions.php file, but this approach creates unnecessary risks. One small error can break your entire site, and theme updates will erase your changes. A better solution is to use a code snippet plugin.
WPCodeBox is a dedicated WordPress code snippets plugin that provides a safe, organized, and secure environment for adding PHP, CSS, SCSS, and JS snippets. It comes with a built-in error detection system that scans your code before execution. If it finds a syntax error, the plugin automatically disables the snippet, saving you from site crashes.

It also transforms how you manage your workflow. Instead of copying and pasting snippets manually, WPCodeBox lets you save snippets to a private cloud repository. You can save the snippet once and use it on all your client sites with a single click. You also get a conditional builder that lets you choose precisely where the snippet should run.
Now that it’s clear that WPCodeBox is the best WordPress snippet plugin, I’ll show you how to use it to add the above snippet to your website:

You can test your implementation by visiting your site’s /wp-json/wp/v2/users endpoint in a private browser window while logged out. You should see a JSON error response carrying the snippet’s message (“The REST API is disabled for guests.”) and an HTTP 403 status code. This confirms guests can no longer access user data through the API.

Your REST API restriction now runs safely in the background. WPCodeBox protects your code from theme updates and makes management effortless. You can modify, disable, or improve this security rule anytime from your dashboard without touching a single theme file.
While disabling the REST API for guests is a best practice for security, some legitimate plugins require public API access to function correctly.
For example, The Events Calendar uses the REST API to load calendar views and events dynamically. Some SEO plugins often expose metadata for social sharing previews, and Embed blocks (like Twitter or YouTube cards) rely on the OEmbed endpoints to render content properly. If you disable the API globally, these features might stop working for your visitors.
If you’re using one of these plugins or one that requires access, you can modify the snippet to “whitelist” specific plugins while blocking everything else.
Here’s an updated snippet that whitelists Contact Form 7:
```php
function disable_rest_api_for_guests( $access ) {
    // An earlier filter already produced an error or an authenticated result; keep it.
    if ( ! empty( $access ) ) {
        return $access;
    }
    if ( is_user_logged_in() ) {
        return $access;
    }
    // Namespaces guests may still reach; add other plugins' namespaces here.
    $whitelist = [
        'contact-form-7',
    ];
    // The requested route, e.g. "/contact-form-7/v1/contact-forms/5/feedback".
    // Falls back to an empty string if the query var is missing.
    $route = untrailingslashit( $GLOBALS['wp']->query_vars['rest_route'] ?? '' );
    foreach ( $whitelist as $namespace ) {
        if ( strpos( $route, "/$namespace/" ) !== false ) {
            return $access;
        }
    }
    return new WP_Error(
        'rest_disabled',
        __( 'The REST API is disabled for guests.', 'textdomain' ),
        array( 'status' => 403 )
    );
}
add_filter( 'rest_authentication_errors', 'disable_rest_api_for_guests' );
```

If you are using other plugins, you may need to add their “namespace” to the $whitelist array in the code above.
If you aren’t sure which namespace a plugin uses, check the plugin’s documentation or contact its support.
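As an added example that is not part of the original article, the following variant of the allow-list approach matches whole namespaces (such as `oembed/1.0`, which is WordPress core’s oEmbed namespace, and `contact-form-7/v1`) from the start of the route instead of searching for a substring, and writes one log line for every guest request it blocks so you can see what is probing /wp-json/. The function names, the namespace list, and the assumption that `WP_DEBUG_LOG` is enabled so `error_log()` reaches wp-content/debug.log are my own choices, not the article’s.

```php
<?php
/**
 * Added example, not the article's own code.
 * Assumptions: the namespace list is illustrative ('oembed/1.0' is core's
 * oEmbed namespace, 'contact-form-7/v1' is Contact Form 7's); WP_DEBUG_LOG is
 * enabled in wp-config.php so error_log() output lands in debug.log.
 */

function guest_rest_allowed_namespaces() {
    return array(
        'oembed/1.0',        // core oEmbed provider endpoint used by embed cards
        'contact-form-7/v1', // Contact Form 7 form submissions
    );
}

/**
 * True when $route (e.g. "/contact-form-7/v1/contact-forms/5/feedback") begins
 * with one of the allowed namespaces. Anchoring at the start avoids matching a
 * different namespace that merely contains an allowed one somewhere in its path.
 */
function guest_rest_route_is_allowed( $route, array $namespaces ) {
    $route = '/' . ltrim( $route, '/' );
    foreach ( $namespaces as $ns ) {
        $prefix = '/' . trim( $ns, '/' );
        if ( $route === $prefix || strpos( $route, $prefix . '/' ) === 0 ) {
            return true;
        }
    }
    return false;
}

function restrict_rest_api_for_guests_with_allowlist( $access ) {
    // Keep an earlier error or an already-authenticated result untouched.
    if ( ! empty( $access ) ) {
        return $access;
    }
    if ( is_user_logged_in() ) {
        return $access;
    }

    // The route WordPress parsed from /wp-json/... or ?rest_route=/...
    $route = isset( $GLOBALS['wp']->query_vars['rest_route'] )
        ? untrailingslashit( $GLOBALS['wp']->query_vars['rest_route'] )
        : '';

    if ( guest_rest_route_is_allowed( $route, guest_rest_allowed_namespaces() ) ) {
        return $access;
    }

    // Detection: record the route and client address of each blocked guest
    // request. Request bodies are deliberately not logged.
    error_log( sprintf(
        'rest_guest_blocked route=%s ip=%s',
        $route === '' ? '/' : $route,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );

    return new WP_Error(
        'rest_disabled',
        __( 'The REST API is disabled for guests.', 'textdomain' ),
        array( 'status' => 403 )
    );
}
add_filter( 'rest_authentication_errors', 'restrict_rest_api_for_guests_with_allowlist' );
```

With this in place, a logged-out visit to /wp-json/wp/v2/users adds a line like `rest_guest_blocked route=/wp/v2/users ip=…` to debug.log, while the oEmbed and Contact Form 7 routes still answer. Review the log after a day or two: routes that appear there repeatedly are the ones bots are probing, and any legitimate plugin route that shows up belongs in the allow-list.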
1. Should I disable the REST API?
You should generally not disable the REST API completely, as it is required for the WordPress Block Editor and many popular plugins like Jetpack and Contact Form 7 to function correctly. Instead of turning it off entirely, you can consider restricting access so that only logged-in administrators or users can view the data. This keeps your site functional while preventing external bots from scraping your content or user lists.
2. How to check if the REST API is enabled in WordPress?
You can easily check the status of your API by opening a web browser and visiting your website’s home URL followed by /wp-json. For example, visit https://yoursite.com/wp-json. If the API is enabled, you will see a page filled with structured text data (JSON) describing your site. If you see a “401 Unauthorized” message, a 404 error, or the 403 response returned by the snippet in this article, the API is either disabled or successfully restricted.
3. How do I find my WordPress REST API base URL?
For most WordPress websites using pretty permalinks, the REST API base URL is simply your domain name followed by /wp-json. However, if your site uses “Plain” permalinks (like ?p=123), the base URL changes to ?rest_route=/. To find the exact URL programmatically, you can view your site’s HTML source code and search for the link tag with rel="https://api.w.org/", which points directly to your API endpoint.